Since the service became generally available in December we got an overwhelming feedback from customers and partners. We are very happy to see real traffic from the first customers and are working on improving the service and implementing some of your suggestions.
In the last few days several changes have been rolled out:
Improved SharePoint & Office experience with MSO-FBA
Microsoft Office Form Based Authentication (MSO-FBA) is an authentication protocol that allows Office clients such as Word, PowerPoint and Excel to authenticate to SharePoint servers. We have made several changes in Application Proxy to support MSO-FBA to improve the experience.
The relevant scenarios include opening a document using Office client applications from within SharePoint Web pages and opening documents stored in SharePoint directly from Office clients, without Web interaction, e.g. opening documents from the “most recently used” list.
Allow to disable host translation
We have added a new application configuration option to disable host translation in request and response HTTP headers:
By default, Application Proxy connectors are replacing the hostname in the request headers that are sent by the client device to the hostname of the backend server:
When this translation is disabled, the original hostname will be sent to the backend applications instead of the one that correspond to the backend application hostname:
Similar process also happens in the HTTP response headers.
In some scenarios, it is useful to have the original host header to differentiate between an internal traffic and traffic coming from Application Proxy. This is the case with some SharePoint Alternate Access Mapping (AAM) configurations.
We found out that many customers were replacing their Forefront UAG and Forefront TMG with Azure AD Application Proxy. These products had this option turned on by default and therefore, many backend applications in such organizations accepted this type of requests. By adding this control to Azure AD Application Proxy we allow these organization to upgrade without making any change to backend applications. We are happy to provide smoother installation and UAG/TMG migration enablement options and looking for more cases like that.
Support for AAD Basic
As we promised, we have enabled Application Proxy also for users that have the Azure Active Directory Basic license. This opens new opportunities for organizations as AAD Basic is a license that targets workers within the organization that are not information workers and have modest IT needs. In many cases, these users doesn’t have a managed device and use their personal or shared device. These users can now access on-prem applications via Application Proxy.
Application Proxy license requirements for end users are enforced in two places:
In the Access Panel - only users with appropriate license will see tiles for proxy applications
When Application Proxy is pre-authenticating a user for a proxy application, it is verifying that she has appropriate license.
This is validation is on top of the regular authorization rules such as users assignment to application or access rules.
As part of this process we made our licensing enforcement more robust and revised some of the error messages so they would be more meaningful and provide accurate information for the end users and IT admin.
Under the hood
All of the above changes have a clear impact on the end-user and admin experiences. At the same time, we are also making lots of changes under the hood to assure the service is working properly, at scale, and adhere to the topmost security standards. We constantly measure the service performance and try to find ways to improve it.
One such change is starting to use Azure Service Bus Relay to establish connectivity between the connectors and the Service. This slightly change the networking patter since the connector now uses for outbound traffic also port 9352 to the Azure data center. Ports 20200-20210 that are currently used will be deprecated over time. Customers doesn't need to update their connectors as the connectors automatically update themselves.
As usual, we would be happy to hear your feedback and suggestions. Our inboxes are full with emails coming from this blog – and we LOVE that.
We have several big and highly desired features that we are currently working on and will be made public over the coming weeks. We will keep you posted via this blog and the AD team blog.